Author Topic: One simple trick for passwords the big companies don't want you to know about!  (Read 3367 times)

0 Members and 1 Guest are viewing this topic.

Offline bloguetronica

  • Frequent Contributor
  • **
  • Banned!
  • Posts: 354
  • Country: pt
  • Country: pt
Better yet: generate a random password for each site/service and use a password manager under Linux. I may be able to build a pseudo-random number generator that uses pressure, temperature, humidity and time garbled as a seed to generate random info.

Kind regards, Samuel Lourenço
 

Offline windsmurf

  • Frequent Contributor
  • **
  • Posts: 571
  • Country: us
  • Country: us
Basically what you're doing is creating a salt using a fixed password, and then adding your own details for each website.  Most password hash algorithms already do this, but adding your own solves the problem that if you use the same password everywhere, cracked password on site A compromises everything.  Also poor sites that just use a simple (unsalted) hash are potentially the worse.  I worked in a place like that at one point (they've long since changed), and I had got to the point where I could recognize the md5 for a number of common passwords (like 1234, qwerty, & Password)

If you did something like make your base password "Secret1" and then your email password "Secret1gmail" and your banking password "Secret1money", etc etc, you're way way way further ahead than just using gmail and money as passwords.

However, as xkcd point out, just a string of random words provides more entropy.

Yes.... I think the point was, this makes it easy to recall/remember your passwords for alll your sites. 
The problem you'll run into with this is when password changes are required.  Some sites do require password changes at regular intervals.  Other times one of them might suddenly require a password change due to a security incident.  You'll need to change your algorithm and change passwords at all the sites, or  have custom algorithms for each of the sites, which defeats the purpose...
 

Offline Beamin

  • Super Contributor
  • ***
  • Posts: 1377
  • Country: us
  • Country: us
  • If you think my Boobs are big you should see my ba
A system I have considered is to use a book code, pick a random book, use the method Beamin described to derive a page number in the book (might have to do modulo number of pages), then you take the third letter of the first/last/third word on each page, and so on. That way you can have passwords that are hard to guess and you don't have to have them written down anywhere. Might want to keep two copies of the book in different places though.


Or make that book the bible and instead of pages use verse so your password is always as close as the nearest hotel room.


Sure you brain might be bad at making passwords but for most of us we are not going to have people target just us individually.
Max characters: 300; characters remaining: 191
Images in your signature must be no greater than 500x25 pixels
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 93
  • Country: pl
  • Country: pl
Using dictionary words (such as "Capital" and "One") are a bad idea overall.
There is one important thing to note. The term “dictionary password” does not refer to a dictionary as in “English language dictionary”. It refers to a dictionary attack. For example “constantinopolitan” is certainly found in English dictionaries, but even in all-lowercase form had(1) relatively low chances of ending up in a dictionary used for an attack(2). On the contrary, “correct horse battery staple” (with or without spaces etc.) is already a well-known dictionary password, and so are “dupa.8”(3) and “zaq12wsx”.

Think of “dicationary password” as a synonym for a password, that could potentially be found with high probability in a relatively small subset of passwords. This is how a dictionary attack works. The attacker compiles a “small” list4 of passwords, the dictionary. It contains passwords that are, in author’s opinion, most likely to be right. The dictionary may consist of already leaked passwords, which is a good strategy, because humans overestimate their brain’s ability to generate good passwords and it is likely that many other people will use the same “unique and completely unguessable” password. The dictionary may contain fully generated passwords, if the generation algorithm is known: 4-digit credit card PINs have very uneven distribution, entry gate PINs are often made to be “easy to memorize” (which limits them to a set much smaller than the full 10000), hotspots for clients typically ue “<company-name><simple-suffix>” and so on. They may be copied from well-known sources, from which people take “random passwords”: for example the Bible, popular stories, poems, songs or well-known tretise. Sometimes many methods are combined: e.g. a words list may be modified by replacing ‘S’ with ‘$’, changing case, adding digits here and there or similar.

The only known method to counter the dictionary attack is increasing password space so much that compiling a dictionary, which would have any useful yield, is prohibitely costful. And this is where high password entropy comes into play.

____
(1) Past tense; it stopped having that property the very moment I pressed the “Post” button. ;) So do not use it.
(2) But not low enough to be considered good security-wise, if all possible scenarios are taken into account. In an average, low cost per victim attack it is unlikely to see it, but increase the allowed cost a bit and the attacker will break it.
(3) At least for Polish targets.
(4) Small relative to the possible passwords space. The dictionary may reach terabytes in size.
« Last Edit: June 03, 2019, 08:07:43 pm by golden_labels »
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Online Zbig

  • Frequent Contributor
  • **
  • Posts: 854
  • Country: pl
  • Country: pl
I too had a similar brilliant idea and thought such a "system" was super clever... when I was 15 :P It is naïve to believe that and a poor advice. Sure, better than the same password for everything but still nowhere near secure. For me, a KeePass implementation on my computer and mobile device, syncing to single "cloud" location, does the trick. This way I always have an up-to-date database with me, no matter where I update it.
 

Online rhb

  • Super Contributor
  • ***
  • Posts: 2611
  • Country: us
  • Country: us
NOTE: This message has been deleted by the forum moderator Simon for being against the forum rules and/or at the discretion of the moderator as being in the best interests of the forum community and the nature of the thread.
If you believe this to be in error, please contact the moderator involved.
An optional additional explanation is:
« Last Edit: June 04, 2019, 11:31:38 am by Simon »
 

Online rhb

  • Super Contributor
  • ***
  • Posts: 2611
  • Country: us
  • Country: us
NOTE: This message has been deleted by the forum moderator Halcyon for being against the forum rules and/or at the discretion of the moderator as being in the best interests of the forum community and the nature of the thread.
If you believe this to be in error, please contact the moderator involved.
An optional additional explanation is: Quoted deleted text which is irrelevant/inappropriate.

Rudeness is uncalled for.

Tim

Please review the conduct of the OP.
« Last Edit: June 06, 2019, 08:36:33 am by Halcyon »
 

Offline vk6zgo

  • Super Contributor
  • ***
  • Posts: 4791
  • Country: au
  • Country: au
You seem confused, rambling, and tangential. 

"Password" was used as the password by the head of the DNC and probably contributed to the hacking of its computers.

Beamin is confused and off on a tangent?

You brought the political BS into the discussion and created that tangent.

Anyway, passwords,

I'm one of those people who can remember car registration numbers for all sorts of things, the Black BMW that cut me up at the roundabout 6 weeks ago, the really nice old Morris Traveller in duck egg blue, etc. etc.

So, car registration numbers, plus something of the colour, the make, the model and a smattering of special characters.
On a "working holiday" in the UK in 1971, my mate & I bought two "old bangers".

The first was an Austin A95, rego number VAA84, colour, maroon.
This wasn't too bad, but used petrol like it had its own Middle Eastern country, so we replaced it with a dark blue "100E"  Ford Popular, rego number 190WEV.( Ohh bummer! I can't use those as passwords, now!)

The funny thing is, I can remember details about those cars, but ask me about the street addresses I lived at, & my mind is a blank!
Quote

Edited :-Removed the crosshatch symbols, just in case they activate the "hashtag"feature.

Those and custom chip part numbers, the in-house marking of parts in custom computers, IBM bits, all sorts of random stuff only an engineer would place any significance on all work for me.

But, as I need ever more passwords and I get older I find I need a password manager, I don't like the idea of a piece of software that might be on one machine or could be compromised so I've been considering building myself something.

A nice little OLED display in a pocket sized case, perhaps about the size of an RSA ID fob, fingerprint reader and an ARM chip with a couple of buttons to 'scroll' through the list.

Maybe even give it USB connectivity so it can pretend to be a keyboard and 'type' the password for me, that'd make it possible to use impossible to remember, long passwords.

Another idea for the never to be completed pile of projects in notebooks
« Last Edit: June 04, 2019, 05:56:40 am by vk6zgo »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 3303
  • Country: gb
  • Country: gb
  • M0UAW

Sounds like this:

https://www.themooltipass.com/

Sent from my Pixel 2 XL using Tapatalk
hah, yes, it does, very similar indeed.
« Last Edit: June 04, 2019, 01:31:09 pm by CJay »
M0UAW
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
Sure, better than the same password for everything but still nowhere near secure.
There's no such thing as "secure" (as in perfect). It comes down to convenience vs risk. Security costs time, money and effort. What is naive is to think people will memorise a unique high entropy, perfectly randomly generated password for every website they use, and on top of that change them regularly. It just isn't practical. The end result is that people use a simple to remember, low entropy, password that they use everywhere which is the worst possible result (it's a well established fact).

By memorising only one password that is good, and add some bits using a system based on for example the domain name, you have gained a huge amount of security at very little cost, that is why it's a good idea.

But I think you should make sure the base password is good and the system isn't immediately obvious by someone who sees one version of your password (because a lot of websites store passwords in cleartext).

So should you use this? Well, it all depends on the risk. If you use the same password everywhere today it's a huge improvement. If you use it to protect passwords that are not important like a password to some game forum, or whatever, then why not. If you are the POTUS, then no, you should use something better (and pay a professional to help you). Should you use it for your bank password? no, use a better solution in that case. Cost vs risk.

Do I use such a system? Not anymore, because I'm a nerd and a bit paranoid and I like programming, math and encryption and such things. I wouldn't use one of those password programs either, because that is also not secure for various reasons. (In that case you are better off generating and storing passwords in a list you manage yourself as some others here do.) In the early days of the internet I used a fairly simple scheme so I din't have the same password everywhere at least, and I know for a fact it has saved my ass many times when forums and other websites have had their password databases stolen. It happens much more often (and from big "reliable" sites) than people think.
« Last Edit: June 04, 2019, 12:38:30 pm by apis »
 

Online Zbig

  • Frequent Contributor
  • **
  • Posts: 854
  • Country: pl
  • Country: pl
There's no such thing as "secure" (as in perfect). It comes down to convenience vs risk. Security costs time, money and effort. What is naive is to think people will memorise a unique high entropy, perfectly randomly generated password for every website they use, and on top of that change them regularly. It just isn't practical.

 :palm: That's why I recommended using a password manager, right? Also, I haven't said anything about regular password changes that I strongly oppose.

Do I use such a system? Not anymore, because I'm a nerd and a bit paranoid and I like programming, math and encryption and such things. I wouldn't use one of those password programs either, because that is also not secure for various reasons. (In that case you are better off generating and storing passwords in a list you manage yourself as some others here do.)

You call yourself a nerd yet you don't know what KeePass is? ;) It's not a web service like LastPass that is forcing you to use any web storage hosted by any particular provider. It's an open source application that works on a file-based database and you're free to host it wherever you want. If you want a self-hosted web-based solution, try Bitwarden. Dismissing well-established and verified products with an assumption that you know better and are better off hacking your own solution is the very common newbie's misconception as, like the countless roll-your-own-crypto horror stories tell, you probably do not and you aren't.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
Also, I haven't said anything about regular password changes that I strongly oppose.
No but it's more secure if you change your password regularly. I just meant that there is no way you can be 100% secure, you have to weight the cost vs the risk, there's always a trade-off.

You call yourself a nerd yet you don't know what KeePass is? ;) It's not a web service like LastPass that is forcing you to use any web storage hosted by any particular provider. It's an open source application that works on a file-based database and you're free to host it wherever you want. If you want a self-hosted web-based solution, try Bitwarden.
Nice to see there is a free open source alternative. I believed you had to pay for the cloud solutions/phone apps/etc. If they are free then it looks like a good solution as well!

Dismissing well-established and verified products with an assumption that you know better and are better off hacking your own solution is the very common newbie's misconception as, like the countless roll-your-own-crypto horror stories tell, you probably do not and you aren't.
Creating a (good) crypto is really hard, so not a good idea. Maybe I'm missing something but I believe those programs only manage a list of passwords for you (encrypted). I don't see the big problem with just having your own list (that you can encrypt if you like)? If you need more security than that you shouldn't be using either imo, but again, it's a lot better than using the same password everywhere. It always comes down to convenience vs risk.

Like I said in the previous post, if you need to protect something important you should hire a professional!

I don't really care if my personal password management solution is super safe (cost vs risk), it's safe enough for me (it's way overkill actually), and I enjoy rolling my own.
« Last Edit: June 04, 2019, 03:34:26 pm by apis »
 

Online Zbig

  • Frequent Contributor
  • **
  • Posts: 854
  • Country: pl
  • Country: pl
No but it's more secure if you change your password regularly. I just meant that there is no way you can be 100% secure, you have to weight the cost vs the risk, there's always a trade-off.

General consensus amongst security experts is it's anything but (further sources linked in the article if you don't trust Microsoft). Forcing regular password changes does more harm than good. Here's just a few reasons it's a generally bad idea:
  • It's a chore and annoys people. As such, they're more likely to come up with trivial, unsecure and easy to remember passwords and/or write them on a post-it note stuck to their monitor or a bottom of the drawer. Majority of people, when forced to change their password over and over again, usually at the least convenient moment possible, just do the bare minimum for the system to accept it. Read: they increase the number at the end.
  • A compromised password is a compromised password. If you're aware of a security breach or have to deal with a rogue employee, you invalidate the password immediately anyway. Waiting for the password to expire is not good enough.
  • Similarly, a non-compromised password is a non-compromised password. It doesn't get stale or lose its strength over time. You're doing a disservice to the user of a unique and strong password by forcing them to change it for no reason: chances are they'll now lean towards simpler, weaker p@$$w0rds11 from now on, just to be done with it. Nobody likes to waste their time and energy pointlessly.
  • My bank, one of the award-winning leaders of the banking innovation in my country, has forced me to change my password exactly once in some 19 years of me using their account, after there was a suspicion of a breach/data leak. I'm pretty sure they've done their homework properly.

Nice to see there is a free open source alternative. I believed you had to pay for the cloud solutions/phone apps/etc. If they are free then it looks like a good solution as well!
KeePass has became the de-facto standard for password managing, even in the corporate world. It's among the top subjects of the security researchers' scrutiny so there's pretty good chance you can't do much better than this. You can keep your database file on your disk, cloud storage drive (like OneDrive), WebDAV-accessible server or a floppy disk stored at the bottom of Mariana Trench - your call, totally up to you.

Creating a (good) crypto is really hard, so not a good idea. Maybe I'm missing something but I believe those programs only manage a list of passwords for you (encrypted). I don't see the big problem with just having your own list (that you can encrypt if you like)? If you need more security than that you shouldn't be using either imo, but again, it's a lot better than using the same password everywhere. It always comes down to convenience vs risk.

Like I said in the previous post, if you need to protect something important you should hire a professional!

I don't really care if my personal password management solution is super safe (cost vs risk), it's safe enough for me (it's way overkill actually), and I enjoy rolling my own.

Sure, if you enjoy rolling your own, I'm not going to argue with that; more power to you. But purpose-made passwords managers like KeePass are so much more than a simple list. You have a tree structure with as elaborate or as simple structure as you wish. You have password auto-typing, automatic clipboard handling, capable and fast search, flexible password generators, to only name a few. Just for fun, I've just fired-up my KeePass, entered its long and secure master password (it's a muscle memory now), searched for the EEVBlog forum entry, copied the password to clipboard and pasted it into the password box. It took me under 15 seconds and I'm usually quicker than that, while not under pressure of timing my actions. It really promotes proper password "hygiene".
« Last Edit: June 04, 2019, 04:38:08 pm by Zbig »
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
Forcing regular password changes does more harm than good.
Yes I agree with that. That was sort of my point, trying to force expensive/complicated security solutions on people who doesn't need them is just going to make them circumvent the system and use something stupidly insecure instead. Better to promote something convenient they will use, than something fancy they will not.

Nice to see there is a free open source alternative. I believed you Sure, if you enjoy rolling your own, I'm not going to argue with that; more power to you. But purpose-made passwords managers like KeePass are so much more than a simple list. You have a tree structure with as elaborate or as simple structure as you wish. You have password auto-typing, automatic clipboard handling, capable and fast search, flexible password generators, to only name a few. Just for fun, I've just fired-up my KeePass, entered its long and secure master password (it's a muscle memory now), searched for an EEVBlog forum entry, copied the password to clipboard and pasted it into the password box. It took me under 15 seconds and I'm usually quicker than that, while not under pressure of timing my actions. It really promotes proper password "hygiene".
If it's free of charge and open source then it sounds like a good solution. :-+
Looks like it's geared towards windows though.

KeePass has became the de-facto standard for password managing, even in the corporate world. It's among the top subjects of the security researchers' scrutiny so there's pretty good chance you can't do much better than this. You can keep your database file on your disk, cloud storage drive (like OneDrive), WebDAV-accessible server or a floppy disk stored at the bottom of Mariana Trench - your call, totally up to you.
How about not storing them on any networked computer at all? ;) (less convenient perhaps, again, it's cost vs risk...)
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 93
  • Country: pl
  • Country: pl
General consensus amongst security experts is it's anything but (further sources linked in the article if you don't trust Microsoft). Forcing regular password changes does more harm than good. Here's just a few reasons it's a generally bad idea: (…)
It should be noted, that the blog post refers to password changes enforced by administrators, not to the idea of changing passwords periodically. The drawbacks listed by Microsoft are well known for years and they are limited to and caused by the enforcement itself. If you use a password manager and random passwords, they are not present.

Whether regular changes are beneficial is a separate issue. The idea is as old as passwords and got slipped into computer security without much thinking. Then it was practiced unquestioned for decades, despite progress in the subject of security removed many reasons for its existence. As an example: while today it is unimaginable, in the past passwords were shared among workers. Periodic password change was addressing this issue. Today the importance may be marginal, but I would say we’re far from any consensus on effectiveness of the method.


Creating a (good) crypto is really hard, so not a good idea. Maybe I'm missing something but I believe those programs only manage a list of passwords for you (encrypted). I don't see the big problem with just having your own list (that you can encrypt if you like)? If you need more security than that you shouldn't be using either imo, but again, it's a lot better than using the same password everywhere.
To add to what Zbig has said, you seem to be underestimating the weight of the first sentence of yours. If you think, that you can mimic behaviour of a working password manager by just applying encryption to a file, a quick question: how do you access data? Unpacking it on your hard drive and copy-pasting? Bad news: that means you are spreading secret all over the system and making it persist unencrypted for a long time. Be happy, that Java applets are no longer supported, because for years on Windows the default policy for Sun’s Java plugin was to allow accessing clipboard — to not aggreviate users.

Also if you need password-based security, a password manager is exactly what you want. Can you offer a better solution?

Like I said in the previous post, if you need to protect something important you should hire a professional!
A password manager is the professional you are hiring.

I don't really care if my personal password management solution is super safe (cost vs risk), it's safe enough for me (it's way overkill actually), and I enjoy rolling my own.
How rolling out and managing your own solution is cheaper than using an existing one?

Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
Unpacking it on your hard drive and copy-pasting? Bad news: that means you are spreading secret all over the system and making it persist unencrypted for a long time. Be happy, that Java applets are no longer supported, because for years on Windows the default policy for Sun’s Java plugin was to allow accessing clipboard — to not aggreviate users.
Well, encryption tools like PGP GPG can handle that for you. But if you have to worry about that level of secrecy (someone with system level access to your machine) then a password manager isn't safe either, the java plugin is a good example of why.

Besides, don't you find it a little bit disconcerting that these cloud-based password management companies want you to put all of your secrets into their database which they then upload to their server?

Also if you need password-based security, a password manager is exactly what you want. Can you offer a better solution?
Don't store your passwords on a computer that is networked. Pen and paper is pretty cheap and I can guarantee you that it's unhackable.

A password manager is the professional you are hiring.
No, it's a product that someone tries to sell to you. What you need is a professional that can tell you if a password manager is appropriate or not in your particular use case.

How rolling out and managing your own solution is cheaper than using an existing one?
It's free?
« Last Edit: June 07, 2019, 04:01:07 pm by apis »
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 93
  • Country: pl
  • Country: pl
Well, encryption tools like PGP can handle that for you.
Asymetric encryption (this is the main feature of PGP) for a local database is an overkill and, unless you encrypt only the entries (so you can separate reads and writes, per-record)(1), it will be effectively nullified and degraded to symmetric encryption of the keys.

Even ignoring above, PGP tools will still have to decrypt the data to somewhere. Perhaps you have an implementation that can decrypt this to mlock’d/secure memory region(2)(3), possibly even using some more advanced techniques, but that requires a lot of effort (you have to code it) and — in the end — you are writing… a password manager. You can as well use an already written and tested one.

But if you have to worry about that level of secrecy (someone with system level access to your machine) then a password manager isn't safe either, the java plugin is a good example of why.
The Java plugin could access only the clipboard. Passwords shouldn’t be put in a clipboard, if possible, and many password managers have the auto-type feature, which simulates keypresses directly. If the adversary has system-level (or higher level) access, the machine itself becomes untrusted and it shouldn’t be used to supply credentials in the first place — with password managers, without them or any other way that involves treating it as trusted. This is not a counter agrument for using password managers.

Besides, don't you find it a little bit disconcerting that these cloud-based password management companies want you to put all of your secrets into their database which they then upload to their server?
You haven’t criticized cloud-based password-managers. You criticized all password managers. If I or anyone else agrees or not with the above statement bears no significance to the original discussion. Use a fully local password manager and the above argument is defeated.

Don't store your passwords on a computer that is networked. Pen and paper is pretty cheap and I can guarantee you that it's unhackable.
Is that a joke? Should I even respond to a suggestion of writing down passwords on paper?

No, it's a product that someone tries to sell to you. What you need is a professional that can tell you if a password manager is appropriate or not in your particular use case.
I am not sure, how to respond to that. Even if the above would be true with the universal quantifier from your original statement, I can’t really see how selling a product makes it less secure, in particular when compared to some makeshift attempt to create own crypto. And how that doesn’t affect the same case of a professional seeling you their service of advising on password managers. But, as it happens, you do not need to hire them. They already suggest them. Some even have their own, like Password Safe from Schneier.(4)

How rolling out and managing your own solution is cheaper than using an existing one?
It's free?
Only if you do not value your time.

____
(1) Not assuming any specific implementation. The database may be implemented on top of a file system with files as entries.
(2) Or anything similar, depending on the platform you use.
(3) Not claiming that all password managers do that.
(4) Not using it myself.
« Last Edit: June 07, 2019, 02:55:46 am by golden_labels »
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Offline digsys

  • Supporter
  • ****
  • Posts: 2031
  • Country: au
  • Country: au
    • DIGSYS
I've been using a simpler system for years ! I make CERTAIN that the email / phone # I provide is correct, then make up a password, using favourite terms,
and add random symbols / characters. When I log in next, if I don't figure it out within 3 retry s, I click "forgot password", and VIOLA .. all reset again :-)
Happens a few times a week, sometimes more. Bonus points - I can NEVER be accused of not changing my password often, and it is not written down :-)
Hello <tap> <tap> .. is this thing on?
 
The following users thanked this post: apis

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
Well, encryption tools like PGP can handle that for you.
Asymetric encryption (this is the main feature of PGP) for a local database is an overkill and
Who said anything about asymmetric encryption? Why bring that up? I was under the impression it could do both (I was actually thinking about GPG though), but maybe that is wrong. In either case it's completely beside the point. There are free encryption programs that lets you view an encrypted file safely and handle all those details for you. So you don't need to buy an expensive password manager solution.

But if you have to worry about that level of secrecy (someone with system level access to your machine) then a password manager isn't safe either, the java plugin is a good example of why.
The Java plugin could access only the clipboard.
I don't use a dedicated password manager so I'm not sure about all the details but Zbig used copying a password as an example just before so I thought it was a good illustration that it isn't perfectly safe either (according to your own example):
I've just fired-up my KeePass, entered its long and secure master password (it's a muscle memory now), searched for the EEVBlog forum entry, copied the password to clipboard and pasted it into the password box. It took me under 15 seconds and I'm usually quicker than that, while not under pressure of timing my actions. It really promotes proper password "hygiene".

Besides, don't you find it a little bit disconcerting that these cloud-based password management companies want you to put all of your secrets into their database which they then upload to their server?
You haven’t criticized cloud-based password-managers. You criticized all password managers. If I or anyone else agrees or not with the above statement bears no significance to the original discussion. Use a fully local password manager and the above argument is defeated.
As I wrote before, I didn't know there were open source and free password managers, those sound good too. My whole argument from the start has been that you don't need to buy an expensive password manager solution to maintain decent security (for the typical private individual). It's my impression that's what the OP wanted to point out as well.

(I think the argument is still somewhat valid though, even if it's fully local, you still trust a third party solution with all your secrets.)

Don't store your passwords on a computer that is networked. Pen and paper is pretty cheap and I can guarantee you that it's unhackable.
Is that a joke? Should I even respond to a suggestion of writing down passwords on paper?
Not a joke. If paper is good enough for the Kremlin it's good enough for me.

No, it's a product that someone tries to sell to you. What you need is a professional that can tell you if a password manager is appropriate or not in your particular use case.
I am not sure, how to respond to that. Even if the above would be true with the universal quantifier from your original statement, I can’t really see how selling a product makes it less secure, in particular when compared to some makeshift attempt to create own crypto. And how that doesn’t affect the same case of a professional seeling you their service of advising on password managers.
Just because someone is selling it doesn't make it insecure but a salesperson is not the same as a professional security consultant. It might be perfectly secure and still a completely unnecessary expense.

Some even have their own, like Password Safe from Schneier.
Password safe from Schneier is also free and open source, so that could also be a good option.

How rolling out and managing your own solution is cheaper than using an existing one?
It's free?
Only if you do not value your time.
Only if it is faster to set up than the alternative.

A plain text file would be good enough for most purposes, like the eevblog password (but not for your bank account). If you also encrypt the file with some reputable free and open source encryption program then I'd say you are doing better than 99.9% of all internet users. If you can get a reputable free and open source password manager then that is also a good option I'm sure. But I don't think you need to pay for an expensive password management solution.
« Last Edit: June 07, 2019, 03:59:30 pm by apis »
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
I've been using a simpler system for years ! I make CERTAIN that the email / phone # I provide is correct, then make up a password, using favourite terms,
and add random symbols / characters. When I log in next, if I don't figure it out within 3 retry s, I click "forgot password", and VIOLA .. all reset again :-)
Happens a few times a week, sometimes more. Bonus points - I can NEVER be accused of not changing my password often, and it is not written down :-)
What happens if you loose your email account?
 

Online Zbig

  • Frequent Contributor
  • **
  • Posts: 854
  • Country: pl
  • Country: pl
Apis, I'm not going to full dive back into this discussion as it's getting a bit boring and unproductive to be honest, but what's with this "expensive" passwords managers angle? You seriously didn't bother to visit the KeePass site to find out it's completely free or just conveniently chose to keep pretending you don't know that?

There are no drawbacks to using a free and proven password manager and any DYI solution will be a poor attempt at replicating a small subset of its functionality. No offense, but this thread begins to read more and more like a dialog with an elderly relative who's trying to convince everyone that there's no better way of doing things than the way he was doing them since he was a young lad and no need for anything new. Don't store the database on a internet-connected computer? Use pen and paper? Seriously? We're more than a decade past the "I now have some computing to do so I'll hit my computing desk and fire up my desktop computer" times. I have a job and, from time to time, I have to use my private credentials for some internet service from there. I have a smartphone on me at all times and when I need a password for my airline account while on holidays on the other side of the planet, it's right there, in my pocket: encrypted and secure. This is the reality I live in every day. There are no valid cases for using a homebrew password managing solution outside of a hobby realm and no amount of made-up flawed arguments after flawed arguments will change that.

ADDED:
I realize it could be hard finding out there are freely-available, better versions of something you were working on passionately - I've been there. But it's better suck it up and conclude that, well, at least you've learned something along the way, than trying to change the reality around you at the risk of sounding silly.
« Last Edit: June 07, 2019, 09:42:00 pm by Zbig »
 
The following users thanked this post: golden_labels

Offline digsys

  • Supporter
  • ****
  • Posts: 2031
  • Country: au
  • Country: au
    • DIGSYS
Quote from: apis
.. What happens if you loose your email account?
Lose it? Had the domain name for 30+ yrs, so unless I get Alzheimer's, should be good to go :-) plus on some log-ins, I have 2-3 domains / emails listed.
And IF I only had a cheap email addy, with no backups, I'd have a lot more to worry about.
Hello <tap> <tap> .. is this thing on?
 
The following users thanked this post: apis

Offline fixit7

  • Regular Contributor
  • *
  • Posts: 212
  • Country: us
  • Country: us
The trick is to use passwords of 10 characters or more.

Using capital letters, numbers, and special characters makes it virtually unbreakable.

And change it at least monthly.

And don't use any real words in your password.

like $57dogpoop^&
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1668
  • Country: se
  • Country: se
  • Hobbyist
Apis, I'm not going to full dive back into this discussion as it's getting a bit boring and unproductive to be honest, but what's with this "expensive" passwords managers angle?
Yes it is getting silly, I've already written two times now that I didn't know there were free open source alternatives and those seems great. :-+ I don't think most people need to pay for a password manager to be sufficiently safe though. For the convenience of syncing with all your devices, sure, but not for security. Several alternatives have been mentioned here, some better than others, but all of them free.

I checked lastpass now, they charge 3$/month, 3$ might sound like very little but it quickly adds up. I would also be surprised if you could easily transfer your passwords to another service, so you would find yourself locked into their service. You have to trust them with all your secrets and should the company go down you could potentially have trouble accessing your passwords.
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 93
  • Country: pl
  • Country: pl
The trick is to use passwords of 10 characters or more.
A traditional minimum length for random passwords is 8 characters. The current NIST”s policies permit as low as 6, but that is only under an assumption, that the system has working rate limiting(1). The key is high entropy and password length has to be expressed in terms of that value. There is no one-fits-all solution and even the good, old “8 characters” is now missing foundations other than being well tested.

Using capital letters, numbers, and special characters makes it virtually unbreakable.
That topic has been discussed earlier. While using larger alphabet increases possible passwords space, it is not the only factor to consider. If you are using a password manager and generate long passwords randomly, use as huge alphabet as you want. At least as long the target sytem supports all the characters. Be careful with a backslash, a percent sign, a quotation mark, an apostrophe, an ampersand and some other character that may be rejected or handled inproperly by badly designed systems.

No, those characters do not magically make a password “virtually unbreakable”. They make easy to overcome in the simplest attack, while a properly chosen lowercase-only password will protect you much longer… and will be easier to remember, if needed. After all you need to memorize at least a few passwords, the one to the password manager being one of them. The key to high cost and low probability of breaking is, as stated above, high entropy. Actually a 21-word passphrase chosen using diceware (only short, lowercase English words!) or a 40-character password of A-Za-z0-9 +others is… unbreakable using brute force within the current physics regime(2). For everyday security you do not need that much.

If you are not using a password manager, using too large alphabet will make password hard to remember, but will add very little entropy bits to it. High cost for little gain.

And change it at least monthly.
Except that it is very hard to follow the policy of changing passwords monthly, can you provide any reason to use that value? In particular in the context of already provided arguments of either dropping the policy altogether (in most cases it harmful) or seriously considering pros and cons of using it. Also, if you are afraid of a password being leaked so much, that you want to change it each month, what are you doing with your keypairs or certificates? A time to distribute a public key is more than a month. Getting certificates each month is prohibitely expensive for nearly everyone and in some cases CA policies do not allow that at all. But, obviously, you must follow the same principles in their case.

And don't use any real words in your password.
Actually you may use standard English words in your password and use only lower case letters. And you will have a password stronger than “MN49%b5$*8#r$”.
____
(1) Don’t think it is as easy to implement, as you think. Blocking bruteforcing of a single account seems pretty straighforward, but still with some caveats (a simple 3-attempts rule may DoS your system). Doing the same for reverse-bruteforce attacks — not so much, especially against a stealthy adversary with resources.
(2) Iterating all those passwords is alone would require the amount energy that is unimaginably great, even if the hypothetical iterating machine would be the most efficent possible. And current computers are not even close. Even half of that length would require dedicating USA’s yearly energy output to just iterating the possible passwords. Of course new discoveries may invalidate the principle or advances in comutation may permit overcoming it, but do not expect miracles soon. And even if that principle fails, still chances of a random bit in RAM getting flipped by cosmic radiation and allowing an invalid password are higher than finding the password.
« Last Edit: June 09, 2019, 03:46:10 am by golden_labels »
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf